WO2007039904A2 - Method and system for securing the inputs of an external device to a host - Google Patents

Method and system for securing the inputs of an external device to a host

Info

Publication number
WO2007039904A2
Authority
WO
WIPO (PCT)
Prior art keywords
host
external device
cpd
connection
data communication
Application number
PCT/IL2006/001158
Other languages
English (en)
Other versions
WO2007039904A3 (fr)
Inventor
Avner Rosenan
Zvi Gutterman
Dor Skuler
Gil Sever
Original Assignee
Safend Ltd.
Application filed by Safend Ltd.
Priority to US12/089,128 (US8954624B2), EP06796151A (EP1940405A4), AU2006298428A (AU2006298428B2)
Publication of WO2007039904A2 and WO2007039904A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices

Definitions

  • the present invention relates to the field of security of data communication between an external device and a host computer, and, more particularly, to securing the communication between a host and an external device in such a manner that the host can authenticate the external device and the data transportation over the connection is encrypted.
  • An exemplary host may be a personal computer, a workstation, a desktop computer, mainframe computer, blade server (e.g. CITRIX), dumb terminal, etc. or any other type of computing device that can be connected over a private network.
  • an external device such as a keyboard can give rise to such a risk.
  • the risk is apparent for communication that occurs between the keyboard and the host to which it is connected (i.e., via a Universal Serial Bus (USB) connector).
  • a hostile entity that operates to listen to the communication between the keyboard and the host may gain valuable information, such as passwords, user names, bank account numbers, etc. This information may be used later to damage the organization.
  • Information regarding the details of operation and specifications of USB technology can be found in web site www.usb.org, the content of which is incorporated herein by reference.
  • Listening to the data transportation over a connection between an external device and its host may be done by temporarily disconnecting the external device from its socket, placing a hardware intrusion device (also known as a bug) onto the socket, and reconnecting the external device to a socket at the other side of the hardware bug, using the hardware bug as an extender of the socket.
  • An exemplary hardware bug can be a device known as 'keylogger'.
  • a keylogger is a small hardware device that can be plugged between the cable of a USB keyboard and the USB connector.
  • a keylogger can be purchased from a 'spy shop'. Placing and removing the keylogger is simple and fast and can be done by cleaning staff, for example. After being removed from its victim computer, the recorded information can be retrieved from the keylogger and processed by the hostile entity.
  • A transmitter can be used instead of a keylogger.
  • Such a device can detect and transmit the data transported over the connection, to a receiver that collects and stores the information.
  • a transmitter can intercept a connection between a printer and its host, or an external disc and its host, etc.
  • Another technique that has been proposed to address this problem includes gluing the connector of the external device to its socket in the host computer. This method eliminates placing a hardware bug between the socket and the cable; however, this technique in essence operates to convert the two units, the host and the external device, into a single device. It should be appreciated that this may create difficulties when one of the devices needs to be replaced or transported. Yet another existing option is using a secured keyboard, such as a keyboard that includes an encryption mechanism. In such embodiments, the recorded/transmitted data is encrypted and cannot be used by the hostile entity.
  • Modified secured keyboards may be of the same type as the installed secured keyboards, but modified to include a keylogger in front of the encryption mechanism. The modified secured keyboards may then be installed instead of the legitimate secured keyboard. Because a common secured keyboard does not have authentication capabilities, the switching of the keyboard will be transparent to the user as well as to the organization. In addition, an organization would like to have control over external devices such as, but not limited to, keyboards that are connected to users' computers that are connected to its private network.
  • exemplary external devices can be, but are not limited to, keyboards, printers, scanners, etc.
  • An exemplary method may use a device that can be connected between an unsecured external device and its socket in a host computer and that operates to convert the unsecured device into a secure device or alternatively the device can be added as an inherent module of the external device.
  • There is also a need for a method and system for inspecting the continuity of the connection between an external device and the host. Such a technology is needed to identify whether the connection has been broken for a period of time and, in response to identifying a penetration, take preventive actions to eliminate damages.
  • Embodiments of the present invention meet the above-described needs in the art by providing a method and system for protecting the communication between an external device and a host computer.
  • One exemplary embodiment provides a method and system for inspecting the pureness of a connection between an external device and a host computer. If a disconnection of an external device and its host computer has been identified, an indication can be sent to the host and, in parallel, the external device may be disconnected or otherwise disabled.
  • An exemplary connection protector device may be added to the connection between the external device and the host.
  • the CPD can have two connectors or interfaces, one for the host and one for the cable of the external device.
  • the CPD can be adapted to identify any disconnection or interruption in the connection with the host and/or the connection with the external device on the other side of the CPD.
  • a host computer can be adapted to obfuscate the data transportation from an external device by manipulating existing features of the external device without using a CPD.
  • an embodiment of the present invention may utilize a configuration procedure of a keyboard to obfuscate the data transportation coming from the keyboard.
  • a common keyboard can be configured by a host to use a scan mode that matches the processor of the host. For example, in PS/2 a "Scan-Code" 1 is used when an XT computer is the host while "Scan-Code" 2 matches other types of computers.
  • a host computer in such an embodiment of the present invention may alternate randomly or pseudo-randomly between "Scan-Code" 1 and "Scan-Code" 2.
  • a connection protector device may be an integrated part of the external device.
  • the integrated CPD can be adapted to identify any disconnection in the connection with the host.
  • the terms "inherent CPD", "integrated CPD" and "internal CPD" are used interchangeably.
  • Sensing the continuity of the connection can be done mechanically, by using an interlock switch mechanism at one or both of the connectors, for example.
  • sensing the continuity of the connection can be done electronically, using an internal power source (e.g., a battery) or the power source of the host.
  • both techniques can be used, the mechanical and the electronic one.
  • an exemplary integrated or external CPD may inform the host, when the connection is renewed, about the disconnection and wait to receive further instructions.
  • in parallel to informing the host, the integrated or external CPD can block the communication between the external device and the host.
  • recovery from a disconnection session may require removing the external CPD and installing a new one.
  • if the CPD is an integrated part of the external device, then the entire external device has to be replaced.
  • a reset session can be performed electronically by an authorized person, such as an administrator of an organization, for example.
  • an exemplary embodiment of the present invention may require a software module, such as a device driver, to be installed in the host for communicating with and controlling the CPD.
  • the device driver can be installed with or without an application program for communicating with a user.
  • the device driver can communicate with a security server if one exists in the particular implementation.
  • a software module related to the CPD can be installed and operate in a manner to serve as an interface between the relevant port driver and the device driver level.
  • an exemplary embodiment of the present invention may be associated with a security server that is used by the organization.
  • An exemplary security server is disclosed in international publication number WO 2005/054973, the content of which is incorporated herein by reference.
  • the security server may be adapted to communicate with the application at the host that is associated with the CPD to retrieve status information on the pureness of the relevant connection.
  • the server may include a revocation list.
  • the revocation list may include information or identifications of CPDs that are suspected to be infected, have previously been rejected or have been reported as lost. A copy of the revocation list can periodically be sent to the plurality of hosts that are connected to security server.
  • the integrated or external CPD and the host are adapted to encrypt/decrypt the transportation between them.
  • the encryption algorithm can be a common encrypting and authenticating algorithm including but not limited to Secure Sockets Layer (SSL), for example.
  • Other exemplary embodiments of the present invention may use two separate algorithms, one for authentication and one for encryption.
  • an RSA algorithm or Diffie-Hellman algorithm can be used for authentication while an AES, DES or Triple DES algorithm can be used for symmetrical encryption.
  • the CPD and the host are configured using a certificate, which was signed by the security server, for example.
  • the signed certificate includes a public/private key pair.
  • During power-on or bootstrapping, the external CPD is transparent to both ends, and thereby enables the host to communicate with the external device to set up the connection with it.
  • the CPD can be configured to operate as a hub, for example a USB hub for a USB external device.
  • the CPD can be configured as a shunt or a short circuit and thereby transfer the information as is.
  • a key exchange session is initiated by the host.
  • the integrated or external CPD sends its signed certificate to the host. This process is referred to as associating the CPD with the host, and an exemplary embodiment involves the following steps:
  • upon receiving the signed certificate and authenticating the CPD, the host responds by drawing a random number that is used as a sessional key,
  • the sessional key is encrypted using the public key embedded in the signed certificate (it should be appreciated that other exemplary embodiments of the present invention may use other key exchange protocols for transferring the sessional key, such as but not limited to Diffie-Hellman),
  • upon receiving the encrypted sessional key, the CPD decrypts it using its private key. At this point both ends of the connection use the sessional key to encrypt/decrypt the communication between the CPD and the host; this encryption/decryption can be based on a symmetrical algorithm such as, but not limited to, AES, DES, etc.
  • an SSL protocol can be used for authenticating the external device and for encrypting the communication between the external device and the host.
  • the host is adapted to check that the integrated or external CPD is alive, is operating properly and has not sent any indication of disconnection. If any of these three checks fails, the host may ignore the external device and inform the user as well as the security server, if one exists. In order to recover from this situation, the intervention of an administrator may be needed.
  • a mechanical securing mechanism can be used to secure the connection of the external CPD and the cable of the external device. Using the mechanical securing mechanism, the external device and the external CPD are converted into one secured device that delivers authentication and encryption.
  • the mechanical securing mechanism can be a lock with a key.
  • the mechanical securing mechanism can be a permanent lock, such as but not limited to a pin, a spring, glue, etc.
  • FIG. 1 is a simplified block diagram with relevant elements of a computer system that uses an exemplary embodiment of the present invention
  • FIG. 2A illustrates a cross section view along a cut in a connector of a CPD that can be connected to an external device
  • FIG. 2B is a simplified block diagram with relevant elements of an exemplary Connection Protector Device (CPD);
  • FIG. 3 is a simplified block diagram with relevant elements of an exemplary software installed in an exemplary host computer;
  • FIG. 4 is a simplified block diagram illustrating components of the host security agent according to an exemplary embodiment of the present invention;
  • FIG. 5A and FIG. 5B illustrate a flowchart with relevant steps of an exemplary method for managing an exemplary CPD;
  • FIG. 6 illustrates a flowchart with relevant steps of an exemplary method for managing an exemplary security agent at a host.
  • FIG. 1 is a simplified block diagram with relevant elements of a computer system that uses an exemplary embodiment of the present invention.
  • the illustrated embodiment operates to protect the connections between host computers 110 and external devices 115 and 113.
  • the computer system 100 can comprise a plurality of host computers 110, a private network 120, and security server 130.
  • Each host 110 is connected to at least one external device 115 or 113 via an external connection protector device (ECPD) 140 or an internal connection protector device (ICPD) 145 (respectively).
  • Three instances of host computers 110, two of external devices 115 with ECPDs 140 and one external device 113 with an internal connection protector device (ICPD) 145 are shown in FIG. 1 by way of example only, and it will be appreciated that any number of those modules may also be used with the present invention.
  • the private network 120 may be an Intranet, a LAN, a VPN (Virtual Private Network), or any other type of communication network.
  • CPD may refer to both external CPD (ECPD) and internal CPD (ICPD).
  • Each of the host computers 110 may be a personal computer, a workstation, a desktop computer, mainframe computer, blade server (e.g. CITRIX), dumb terminal, etc. or any other type of computing device that can be connected to an external device 115 or 113.
  • Each of the host computers 110 may also be a portable device, such as but not limited to a laptop computer, notebook computer, a smart phone, a personal digital assistant (PDA), or any other type of mobile device.
  • External device 115 and/or 113 can be a common keyboard, a printer, an external disk, etc. that is connected via a cable or directly to a connector (port) in the host.
  • the connector can be, but is not limited to, USB, PS/2, FireWire or Serial.
  • a common external device 115 is an un-secured device, which means that the transportation between the external device 115 and the host 110 is not encrypted and the host cannot authenticate the external device.
  • ECPD 140 is added and is installed in between the external device 115 and the host 110 to convert the un-secured common external device 115 to a secured one.
  • External device 113 has an ICPD 145 as an inherent part of the external device 113. Therefore the communication between external device 113 and its host 110 is secured and the host 110 can authenticate the external device 113 as the authorized one.
  • Exemplary ECPD 140 can have two connectors - one for the connection with the host 110 and one for the connection with the external device 115.
  • An exemplary ECPD 140 can have a mechanical securing mechanism that secures the connection with the cable of the external device combining the common external device 115 with the ECPD 140 to one secured device.
  • the mechanical securing mechanism can be a permanent one, irreversible, or a temporary one having a lock and a key. More information on such an exemplary mechanical securing mechanism is described below in conjunction with FIG. 2A.
  • An alternate exemplary embodiment of an ECPD 140 can have an electrical mechanism that is adapted to sense any disconnection in the connection with the external device 115 and/or with the host 110 on the other side of the ECPD. Upon determining that a disconnection has been sensed, the internal communication between the two connectors of the ECPD 140 can be stopped. In another embodiment, in which an ICPD 145 is used, the ICPD 145 can be adapted to sense any discontinuity in the connection between its external device 113 and the host 110. More information about the host computers 110 and the ECPDs 140 or ICPD 145 is disclosed below in conjunction with FIGS. 2B, 3, 4, 5A, 5B and 6.
  • the security server 130 may be an element of network 120.
  • the security server 130 may be responsible for managing the security policies that are used over the private network 120.
  • a plurality of policies may be used by each host computer 110.
  • the security policies may be based on the host's degree of security, the environment that the host is working in, the type of the devices that are connected to the host computer, etc.
  • the security policies can be updated from time to time and then be loaded or reloaded into the hosts.
  • the security server 130 can be used for configuring the CPDs 140 and/or 145 and providing a signed certificate to the CPD 140 and/or 145 prior to being connected.
  • the signed certificate is used for authenticating the CPD 140 and/or 145.
  • the security server 130 can operate to ensure that all host computers 110 comply with specified security policies. For example, if a disconnection between an ECPD 140 and its associated external device 115 has been sensed, or a disconnection between an external device 113 having an ICPD 145 and its associated host 110 has been sensed, an indication may be sent to the security server 130. In response to such an indication, the access of the host computer 110 to the corporate network 120 can be prevented and an indication or notice may be sent to an administrator of the network, etc.
  • the security server 130 may periodically update the security policies that are installed in each one of the host computers 110.
  • a security agent may be installed within the host computer 110 and, among other things, operates to enforce the security policy by monitoring events in accordance with the security policy. Furthermore, the security agent is used to communicate with the CPD 140 and/or 145.
  • the security server 130 can be constructed in a variety of manners.
  • the security server 130 may comprise the following relevant modules: host communication module 132, event logger module 134, policies database 135, database 136, and a manager module 138.
  • Host communication module 132 is typically used to communicate with the plurality of host computers 110 over private network 120 while the host computers 110 are connected to the private network 120.
  • the communication between the host computers 110 and the security server 130 can be encrypted to create a secure connection between the host computers 110 and the security server 130, over which data can be sent securely.
  • the communication from the security server 130 to the host computer 110 may include: (a) the provision of updated security policies and/or periodically checking whether the installed security agent and the installed security policies have been contaminated or have been tampered with by any hostile entity, (b) checking whether a disconnection was sensed between an ECPD 140 and its associated external device 115, or (c) checking whether a disconnection was sensed between the external device 113 having the ICPD 145 and its associated host 110, etc. If a particular host computer does not have a required host security agent or security policy installed, or the security agent was infected, or a disconnection was sensed, the security server 130 can prevent further access to the corporate network until such host computer has installed and activated the required security agent or security policy.
  • the communication from the host computer 110 to the security server 130 may include: a real-time indication that is used to inform the security server 130 when the host computer 110 is connected to the private network 120, reports on events according to the security policy, reports on attempts to tamper with the security agent, with the connection between an ECPD 140 and its associated external device 115 or between the external device 113 having the ICPD 145 and its associated host 110, or with the stored security policy, etc.
  • the report may include information on any disconnection between the host computer 110 and the external device, information on the data transfer, the timing of the event, etc.
  • the event logger 134 may be a storage volume that can be used to store the reports that have been sent from the users within a certain period and/or any policy violation event.
  • the reports may be retrieved and processed manually by an administrator of the private network 120 or automatically by the manager module 138, which may run several statistical algorithms to monitor the security of the network.
  • Policy database 135 is a database that includes a plurality of policies, including security policies, which may be used by the organization that owns the private networks 120.
  • a security policy may include a set of rules that are used to determine whether a given host computer can be permitted to gain access to a specific device. The security policy may depend on various factors, including but not limited to, the location of the host, the external devices, the type of applications, etc.
  • the security policy may define how to respond to an indication that a disconnection between an ECPD 140 and its associated external device 115 has been sensed, or between the external device 113 having the ICPD 145 and its associated host 110, how often to change a sessional key, etc.
  • Database 136 is a database that may include information regarding the various host computers 110 that may be connected over private network 120, the different CPDs 140 or 145, etc. This information may include items such as, but not limited to: host level of security, the type of equipment that the host possesses, the external devices to which the host computer is allowed to be connected, configuration of the security agent that is installed in the host, information about the one or more CPDs 140 or 145 that are connected, information on the different CPDs 140 or 145 that have been configured by the security server 130 but are not installed yet, etc.
  • Manager module (MM) 138 manages the operation of the security server 130.
  • the manager module 138 may initiate tasks to check the situation of the security agents and the security policies, which are installed in the host computers.
  • the MM 138 may create and send the appropriate policies to each one of the host computers 110.
  • the MM 138 may create one or more policies for a particular host.
  • the MM 138 may run Artificial Intelligence algorithms over the information that is stored in the event logger 134 and may send indications and conclusions to the administrator of the network.
  • the MM 138 may make decisions regarding certain activities of a host computer 110 and affect its connection to the private network 120 based on such decisions.
  • FIG. 2A illustrates a cross section view along a cut in a receptacle connector of an exemplary ECPD 2200 that is using a mechanical securing mechanism versus a common device 2100 having a common receptacle connector.
  • the exemplary hardware devices 2100 and 2200 are USB devices, however the present invention is not limited to being incorporated into USB devices. Devices having other types of connectors can be protected by other exemplary embodiments of the present invention.
  • the exemplary connectors that are illustrated in FIG. 2A are USB receptacle series 'A'. Electrically, Series "A" receptacles function as outputs from host computers and/or hubs. A Series "A" receptacle mates with a Series "A" plug (male).
  • FIG. 2A illustrates the section of the hardware device 2100 or 2200 to which the cable (not shown) of an external device 115 (FIG. 1) can be connected.
  • a common USB receptacle 2105 comprises an external envelope (shell) 2120a-b, an internal body 2110 for carrying the contacts, and bi-directional holding springs 2130 and 2140.
  • the bi-directional holding springs 2130 and 2140 are used to hold a mated plug, which is located at the end of a cable of an external device, while the external device 115 (FIG. 1) is connected to a host 110 (FIG. 1).
  • a common bi-directional holding spring 2130, 2140 has two bars 2130a&b and 2140a&b, respectively. Bars 2130b and 2140b slip over the plug during the connection of the external device and enable pushing the plug into the receptacle 2105. When disconnecting the external device 115 (FIG. 2), bars 2130b and 2140b are passive. Bars 2130a and 2140a slip over the plug being disconnected from the external device and enable pulling the plug from the receptacle 2105. While connecting the external device to the host, bars 2130a and 2140a are passive.
  • An exemplary embodiment of the present invention may replace one or more of the bi-directional holding springs with a permanent, irreversible, mechanical securing mechanism (a locking mechanism).
  • An exemplary locking mechanism enables a receptacle 2205 to be mated with or receive a plug but prevents the extraction or removal or other disconnecting of the receptacle 2205 and plug.
  • An exemplary ECPD 2200 comprises an external envelope (shell) 2220a&b, an internal body 2210, a locking spring 2230 and a bi-directional holding spring 2240.
  • the shell 2220a&b and the bi-directional holding spring 2240 can be similar members as shell 2120a&b and holding spring 2140, respectively, which are described above.
  • Internal body 2210 performs similar functionality of internal body 2110 which is described above with an additional feature, a niche 2215 for hosting the locking spring 2230.
  • Locking spring 2230 can have two bars 2230a&b.
  • Bar 2230a is used as a spring for holding bar 2130b in position. While connecting the external device by inserting a plug into receptacle 2205, bar 2230b enables, or does not prevent, the plug being pushed into the receptacle 2205 by slipping over the plug. When the plug and the receptacle 2205 are mated, bar 2230b penetrates an appropriate hole or indentation in the shell of the plug and enters niche 2215, preventing the plug from being extracted.
  • the holding springs and/or the locking spring can be made of a single bar that is bent or formed to create the shape of the two bars of the springs.
  • Other embodiments of the present invention may use a cylindrical spring and a pin instead of locking spring 2230a&b.
  • the present invention is not limited to the shape of the locking mechanism.
  • a locking mechanism with a key can be used.
  • FIG. 2B is a simplified block diagram with relevant elements of an exemplary Connection Protector Device (CPD).
  • the ECPD 200 can comprise: an external device connection checker (EDCC) 210, an external device interface module (EDIFM) 220, a connection manipulator module (COMM) 230, a host interface module (HIFM) 240, host connection checker (HCC) 250, a CPD manager module (CPDMM) 260, a memory 270, a CPD encryption/decryption engine (CPDEDE) 235 and an energy source 280, such as but not limited to a chargeable or non-chargeable battery.
  • the energy source 280 can be used when the host is off or disconnected.
  • the energy source is the only power source of the ECPD 200.
  • An exemplary ICPD 145 (FIG. 1) that is embedded as an integrated part of the external device 113 (FIG. 1) may comprise modules similar to the connection manipulator module (COMM) 230, the host interface module (HIFM) 240, the host connection checker (HCC) 250, the CPD manager module (CPDMM) 260, the memory 270, the CPD encryption/decryption engine (CPDEDE) 235 and an energy source 280, such as but not limited to a chargeable or non-chargeable battery.
  • the energy source is needed when a common external device does not have one. Because the ICPD is an inherent and internal part of the external device 113 there is no need for EDCC 210 or EDIFM 220.
  • EDCC 210 is adapted to sense a disconnection between an external device and an associated ECPD 200. Upon sensing a disconnection, an indication can be sent to the CPDMM 260.
  • the CPDMM 260 may proceed in different ways; it may block the connection with the external device, for example.
  • the CPDMM 260 may send an indication to the host and let the host determine how to proceed. The decision may depend on one of the security policies that fit the current situation. For example, the host may allow certain types of communication to transfer between the external device and the host, and block other types of communication, etc.
  • Different types of EDCC 210 can be used by exemplary embodiments of the present invention. Some EDCCs 210 can use mechanical mechanisms, others can be electrical modules, and there are embodiments of the present invention that may use a combination of mechanical and electrical mechanisms. In exemplary embodiments of the present invention in which an irreversible mechanical securing mechanism is used, such as but not limited to the one that is disclosed above, the EDCC 210 may not be needed and can be eliminated.
  • An exemplary purely electrical module embodiment of an EDCC 210 utilizes the fact that the common connection between a host computer and an external device requires terminations at both ends of the connection. The exemplary EDCC 210 can be adapted to sense the existence of the termination at the external device.
  • an exemplary EDCC 210 can implement a sensing method similar to the one used by a host computer for determining whether a USB device has been disconnected (i.e., by sensing the differential voltage). In the absence of the far-end terminations, the differential voltage will nominally double as compared to when an external device is present.
  • the EDCC 210 may be configured or enabled to send a keep-alive signal to the external device periodically or aperiodically.
  • An exemplary EDCC 210 can create and send a standard question or prompt to the external device and wait for a response.
  • the EDCC 210 can send a request for the status of the keyboard as a keep-alive signal.
  • An alternate embodiment of the present invention may add a non-standard contact (i.e., a sensing contact) in the receptacle of the ECPD 200.
  • the sensing contact can be located in between the internal body and the external envelop (shell) of the receptacle.
  • the sensing contact is connected as an input to the EDCC 210.
  • when no plug is inserted, the sensing contact is open.
  • when the receptacle and the plug are mated, the shell of the plug is attached to the sensing contact, providing a GND voltage via the shield of the plug.
  • the GND is sensed by the EDCC 210, indicating that the ECPD 200 is connected to the external device.
  • the EDIFM 220 comprises hardware and software elements that are needed to interface with the external device. The implementation of the EDIFM 220 depends on the type of connection (port) that is used between external device 115 and host 110 (FIG. 1).
  • the EDIFM 220 can be implemented as a USB Host based on the USB specification. In operation, the output of the EDIFM 220 is transferred to the COMM 230.
  • the COMM 230 manipulates the communication between the external device 115 (FIG. 1) and its associated host 110 (FIG. 1). Different types of manipulations may be implemented.
  • the COMM 230 upon sensing a disconnection between the external device and the ECPD 200, irreversibly breaks the connection between the EDIFM 220 and the HIFM 240.
  • the COMM 230 can be implemented by a normally open latch. The latch is closed as long as the external device is connected to the CPD. However, upon sensing the first disconnection between the external device and the ECPD 200, the latch opens and remains open forever, breaking the connection between the external device and the host.
  • the COMM 230 can include a router that internally routes the transportation between the internal modules of the ECPD 200. During bootstrapping of the host, downstream communication coming from the host via the HIFM 240 to the external device is routed to the EDIFM 220; and upstream communication coming from the external device via the EDIFM 220 to the host is routed to HIFM 240.
  • downstream communication coming from the host via the HIFM 240 to the external device is routed to the CPDEDE 235 to be decrypted, and after decryption, the decrypted communication is transferred to the EDIFM 220 to be transferred to the external device; and upstream communication coming from the external device via the EDIFM 220 to the host is routed to the CPDEDE 235 to be encrypted, and after encryption, the encrypted communication is transferred to the HIFM 240.
  • the COMM 230 can include the functionality of an internal router and the functionality of an irreversible normally open latch.
  • An exemplary COMM which is embedded within an exemplary ICPD 145 (FIG. 1) may have functionality that is similar to that of the COMM 230 embedded within the ECPD 200 with a few modifications.
  • the communication between the internal modules of the external device 113 (FIG. 1) and its host 110 (FIG. 1) is manipulated by the COMM. Therefore, in the upstream direction, the COMM of an ICPD gets the information from the internal modules of external device 113. In the downstream direction the information is received from HIFM 240 as in ECPD.
  • the COMM of an ICPD can be modified to respond only to disconnections with the host.
  • the HIFM 240 comprises hardware and software elements that are needed to interface with the host.
  • the implementation of the HIFM 240 depends on the type of connection (port) that is used between external device 115 and/or 113 and host 110 (FIG. 1).
  • the HIFM 240 can be implemented as a USB Hub based on the USB specification.
  • the HCC 250 operates to sense a disconnection between the host and the ECPD 200 or between the external device 113 (FIG. 1) and its host 110. Upon sensing a disconnection, an indication can be sent to the CPDMM 260.
  • the CPDMM 260 may respond to the disconnection indication in different ways. For example, the CPDMM 260 may block the connection with the external device.
  • the CPDMM 260 may send an indication signal to the host and let the host determine how to proceed. The response of the host upon receiving the signal may depend on the particulars of the security policy that fits the current situation.
  • the host may allow certain types of communication to be transferred between the external device and the host, and block other types of communication, etc.
  • the HCC 250 is less essential than the EDCC 210 when the communication between the ECPD 200 and/or external device 113 (FIG. 1) and the host is secured (encrypted); therefore, in such exemplary embodiments of the present invention the HCC 250 is not necessary and thus is eliminated.
  • Different types of HCCs 250 can be used by exemplary embodiments of the present invention. Some of the HCCs 250 can use a mechanical mechanism, others can be electrical modules, and still other embodiments of the present invention may use a combination of mechanical and electrical mechanisms.
  • the HCC 250 can be implemented by one or more of the methods that are described above in conjunction with EDCC 210.
  • the CPDEDE 235 is an encryption/decryption engine that is adapted to encrypt the upstream communication coming from the external device via COMM 230 toward the host 110 and to decrypt the downstream information coming from the host via COMM 230 toward the external device.
  • CPDEDE 235 can include authentication functionality.
  • the CPDEDE 235 can use a common encrypting and authenticating algorithm including, but not limited to, a Secure Socket Layer (SSL), for example.
  • Other exemplary embodiments of the present invention may use two separate algorithms, one for authentication and one for encryption. For example, an RSA or Diffie-Hellman algorithm can be used for authentication while AES, DES or Triple DES can be used for encryption.
  • the authentication and the encryption/decryption process can be based on the signed certificate that was delivered from the security server and was transferred to the ECPD 200 or an external device having an ICPD via the security agent during the configuration stage while the first connection to the host was done.
  • the signed certificate can include a public/private key pair.
  • an ECPD or ICPD which is adapted to be associated with a keyboard as the external device, may be adapted to create encrypted data that matches common output data of a keyboard so that it can be received and processed by a common PC keyboard controller such as the INTEL 8042 microcontroller that is located at the host.
  • the controller may reside on the communication path before the decryption module in the host computer.
  • the controller may be configured to only accept a specific domain of values as valid data. During the encryption process, the domain of potential outputs may be different than the domain of valid data values. Therefore a CPDEDE 235 that belongs to a CPD that is associated with a keyboard may include a keyboard adaptation module at the output of the encryption/decryption engine to convert the encrypted output data into a format that will be accepted and passed through the controller.
  • An exemplary keyboard adaptation module may be adapted to receive the encrypted output, check whether the received output is compliant with a keyboard standard and whether the encrypted combination is a legal output of a keyboard. If the output is compliant and a legal output, the encrypted data is transferred as is toward the host. If the output is not compliant or legal, the illegal block of data can be converted into two legal blocks of data, the first block can be used as an indication to the keyboard adaptation module at the host.
  • an embodiment may define the symbol * as the indication for an illegal encrypted block of data.
  • a lookup table (LUT) can be used for the conversion: each entry maps an illegal block to two legal blocks, where the first one is always the indicator, such as *, and the second represents the illegal block.
  • the symbol *, although it is a legal combination, is also replaced by two blocks.
  • the symbol * can be the first entry in the LUT and it will be converted into two blocks, the first will be * and the second can be 0, for example.
  • an exemplary embodiment of the present invention may use a stream cipher encrypting method such as RC4 to transfer one keystroke at the time.
  • the size of the plain text is similar to the size of the cipher text.
  • if a block cipher encrypting method is used, such as but not limited to AES, additional data has to be added to each keystroke to maintain compliance with the required size of the block.
  • a key exchange session is initiated by an Encryption/Decryption engine that is located at the security agent.
  • the CPDEDE 235 sends its signed certificate to the security agent. If an SSL algorithm is used, the following process can be initiated.
  • the security agent upon receiving the signed certificate and authenticating the CPD, can respond by drawing a random number that will be used as a sessional key, and then encrypting the sessional key using the public key.
  • the public key is embedded in the signed certificate.
  • the CPDMM 260 is the control module of the ECPD 200 and it can be implemented, for example, by a microprocessor using a program that is stored in memory 270. Memory 270 can include a non-volatile section and volatile section.
  • the CPDMM 260 is adapted to communicate with the security agent at the host, and with the security server.
  • the configuration of the ECPD 200 can be performed by an administrator of the network 120 (FIG. 1) via the security server 130 (FIG. 1). During the configuration, a signed certificate is granted to the CPD and the security software, including relevant one or more security policies, are loaded into the non-volatile section of memory 270.
  • the CPDMM 260 controls the operation of the COMM 230 based on indications coming from the EDCC 210 and the HCC 250 (if one exists), commands received from the security agent, and the current situation or mode of operation of the host (a bootstrap session or a common operation). In addition, when the CPDMM 260 suspects that the connection with the security agent has become infected, it can override the instructions coming from the security agent.
  • a CPDMM utilized within or in conjunction with an exemplary ICPD may have similar functionality as described for the CPDMM 260.
  • because the ICPD is an internal part of the external device 113 (FIG. 1), it can be implemented by software modules that are executed by the processor within the external device 113 or by a processor that is dedicated to the functionality of the ICPD.
  • the ICPD should be configured before connecting the external device 113 (FIG. 1) to its associated host 110.
  • the configuration of the ICPD can be performed by an administrator of the network 120 (FIG. 1) via the security server 130 (FIG. 1). During the configuration, a signed certificate is granted to the ICPD and the security software, including one or more relevant security policies, is loaded into the non-volatile section of memory 270.
  • FIG. 3 is a block diagram with the relevant elements of a host system 300 that may be used in an exemplary host computer 110 (FIG. 1).
  • the host system 300 may comprise one or more application programs 310a-c, one or more device drivers 320a- c, a security agent module 330, one or more physical communication ports or bus drivers (stack) 340a-c, a core kernel module 360 and one or more physical communication ports or buses 350a-c.
  • the data transportation between a host computer and a device in one direction flows in a path from an application 310a- c to a physical communication port 350a-c through the appropriate device driver 320a-c, security agent 330 and the appropriate port driver 340a-c.
  • in the other direction, the data transportation flows from a physical communication port 350a-c to an application 310a-c through the appropriate port driver 340a-c, the security agent 330 and the appropriate device driver 320a-c.
  • the software modules of the host system 300 may be stored in a fixed storage medium (e.g. a disc, flash memory, a read-only memory (ROM) etc.). During the operation of the host computer, one or more of the software modules may be retrieved from the fixed storage medium and may be loaded into a temporary memory such as a random-access memory (RAM).
  • the core kernel 360, the device drivers 320a-c and the port/buses drivers 340a-c may jointly be referred to as the operating system (OS) of the host computer 300 or 110 (FIG. 1).
  • the OS may manage low-level aspects of the host computer operation, including managing the execution of processes, memory allocations, file input and output (I/O) and device I/O.
  • An exemplary OS suitable for embodiments of the present invention may include Windows NT or XP, Unix, MAC OS, VMS, LINUX, SYMBIAN, PALMOS, etc.
  • One or more application programs 310a-c may be transferred from a fixed storage medium into the RAM for execution by the host system 300.
  • the application program 310a-c may be a program such as, but not limited to, word processing, Log On, Financial software, and communication applications such as, but not limited to, applications that utilize Bluetooth or WiFi protocols, Internet browser and Java applications for synchronization with external Java devices, such as but not limited to backup storage applications, etc.
  • the appropriate device driver 320a-c may be invoked.
  • the device driver 320a-c is used as an intermediary between the core kernel 360 and/or one or more application programs 310a-c and the external device itself.
  • Exemplary external devices can include: a keyboard, a removable storage device, a printer, a WiFi dongle, etc.
  • a device driver 320a-c is supplied by the vendor of the device itself.
  • a port driver 340a-c may also be invoked.
  • the port driver/bus driver 340a-c is used to organize the communication according to the protocol that is used over the physical communication port 350a-c. For example, if communication port 350 is a USB port, then a USB driver (USB stack) is needed.
  • the above-described computer software is for illustrating the basic desktop and server computer components that may be employed by a host computer 110 (FIG. 1).
  • a security agent 330 is added by an exemplary embodiment of the present invention.
  • the security agent 330 may be installed in the standard storage of the host system 300 and it may be invoked during the power on cycle of the host computer 110 (FIG. 1) and remain active for the entire operation of the system. In other embodiments of the present invention, the security agent 330 may be burned onto a physical memory, such as the ROM, PROM, BIOS, etc. The security agent 330 may be installed as a section of the OS and can be handled by an administrator having the appropriate permissions. The security agent 330 may be installed in between the core kernel 360 and the one or more communication port/bus drivers 340a-c. Security agent 330 may act as a proxy for both sides. The security agent 330 may be transparent to the user (i.e., it may not have any icon or indication to inform its existence to the user).
  • the security agent 330 may emulate a kernel device driver and will receive the communication between the device driver 320a-c and the core kernel 360. During the installation and/or periodically, from time to time, the security agent 330 may register in the appropriate location in the core kernel as the first device driver for receiving the communication from/to the different physical communication port/bus drivers. For example, if the OS is a Microsoft product, then the security agent 330 may register in the registry as the first device driver to get the communication. The registration may be done at a class level or at a device level. Exemplary class levels for the registration may be USB, keyboard, FireWire, CD-ROM drivers, Disk Controller, etc. In some operating systems, the device driver may be constructed from a stack of two or more sub-device-drivers.
  • the security agent 330 may collect information from at least one of the two or more sub-device-drivers.
  • the stack of the relevant sub-device-drivers can include: usbhub, hidhub, kbdhid & kbdclass.
  • the security agent may collect information from any of the four sub-device-drivers.
  • the security agent 330 may emulate a filter procedure but, instead of providing the functionality of a common storage filter driver, the security agent performs security checking.
  • a filter may perform device-specific functionality that is not provided by a class device driver.
  • the security agent 330 may emulate more than one type of filter driver.
  • the number of types of filters that may be emulated by the security agent 330 can be configured according to the number of physical communication ports and devices whose transportation the security agent 330 checks, namely those of the one or more ECPDs 140 and/or ICPDs 145 (FIG. 1) that are connected to the host.
  • the security agent 330 may be activated when an appropriate physical communication port is requested.
  • the appropriate physical communication port is the one to which the ECPD 140 and/or ICPD 145 (FIG. 1) is connected.
  • the security agent can be invoked when a device driver 320 that is associated with the appropriate external device 115 or 113 (FIG. 1) requests an access to the external device.
  • the security agent 330 may communicate with the appropriate ECPD 140 and/or ICPD 145 (FIG. 1), authenticate that the existing ECPD 140 and/or ICPD 145 (FIG. 1) is the appropriate one, if it is the appropriate one, (a) collecting status information from the ECPD 140 and/or ICPD 145 (FIG.
  • connection between the ECPD 140 and/or ICPD 145 (FIG. 1) and the host 110 may also be checked.
  • the security agent allows the communication to and from the external device without further processing.
  • the security agent 330 may instruct the appropriate ECPD 140 and/or ICPD 145 (FIG. 1) to encrypt the communication toward the host. If the ECPD 140 and/or ICPD 145 (FIG. 1) is the appropriate one and the connection has not been affected, then in one exemplary embodiment of the present invention, in which the connection between the ECPD 140 and/or ICPD 145 (FIG. 1) and the host is also checked, the security agent allows the communication to and from the external device without further processing.
  • the security agent may respond by taking one of, or any combination of, the following actions: (a) blocking the transportation to and from the external device, (b) informing the user, and (c) informing the security server 130 (FIG. 1). Selecting the appropriate action or combination can depend on the embodiment of the present invention or may be defined by the security policy that is currently in use.
  • the following responses may be needed: (a) the user may be requested to check the connections and to reset the security agent by using a password; (b) an administrator of the network is requested to check the connection and reset the security agent; (c) the ECPD 140 or external device 113 (FIG. 1) has to be replaced; (d) the ECPD 140 or external device 113 (FIG. 1) has to be reconfigured by the security server 130 (FIG. 1), etc. Selecting the appropriate action or the combination can depend on the embodiment of the ECPD or may be defined by the security policy that is currently in use.
  • security agent 330 may initiate a sessional key replacement session with the ECPD 140 or ICPD 145 (FIG. 1); may check the connection with the ECPD 140 or ICPD 145 (FIG. 1) and request a status update; may request a policy update from the security server, etc. More information about the operation of security agent 330 is disclosed below in conjunction with the description of FIGS. 4, 5A, 5B and 6.
  • a security agent 330 in which the data transportation from an external device to a host is obfuscated by manipulating existing features of the external device, can be adapted for manipulating those features.
  • the security agent can alternate between "Scan-code" 1 and "Scan-code" 2. Alternating from one "Scan-code" to the other can be done randomly or pseudo-randomly.
  • the security agent module 330 can be adapted to route the received information toward an LUT for converting the unmatched key stroke data into the appropriate one that matches the host.
  • Each entry in the LUT can match data coming from a keystroke in one "Scan-Code", while the data stored in each entry reflects the correct data that is supposed to be received in response to clicking the certain keystroke.
  • the host system may comprise some additional modules, such as the modules disclosed above in conjunction with the description of the security server 130 (FIG. 1).
  • the additional modules may perform the configuration stage of a new ECPD 140 or external device 113 (FIG. 1), for example.
  • FIG. 4 is a block diagram with the relevant elements of a software program 400 that may be used by an exemplary security agent 330 (FIG. 3).
  • Software program 400 and its associated application can be loaded by an administrator of the network 120 (FIG. 1) or a private user if the host is not connected to a network while installing the CPD (ECPD or an external device with an ICPD).
  • Loading the software can be done from the security server 130 (FIG. 1) or from a CDROM, for example, that is associated with the new CPD.
  • the software program 400 may comprise a Security Agent Manager Module
  • the SAMM 410 may manage the operation of the security agent 400.
  • the SAMM 410 is responsible for communicating with the security server 130 (FIG. 1), verifying that the CPD is valid, collecting the relevant one or more policies from the security server, loading an appropriate policy to the CPD, selecting a sessional key to be used for encrypting the communication between the CPD and the host, etc.
  • the SAMM 410 may use an appropriate application 310a-c (FIG. 3).
  • the SAMM 410 collects status information from the CPD, checks the connection with the CPD, selects a sessional key and manages the other operations of the security agent 330 (FIG. 3).
  • the bank of security policies 420 can comprise one or more security policies that are loaded from time to time from the security server 130 (FIG. 1).
  • a typical policy may include information such as, but not limited to: when to replace a sessional key; how often to collect status from the CPD; how to react to a disconnection indication between the CPD (for ECPD only) and its associate external device; how to react to a disconnection between the host and its associate CPD (ECPD or an external device with an ICPD); how to recover from an alarm situation, identify a revocation list of CPDs, etc.
  • the stored policies can be adapted to the user, the host, the external device, the type of the CPD, etc.
  • the SAMM 410 may select an appropriate policy when it is needed, may update the policy at the CPD and may update the current policies that are stored in bank of security policies 420 with an updated policy.
  • the SAEDE 430 acts as the authentication and encryption/decryption engine of the host. It may perform the inverse functionality of the CPDEDE 235 (FIG. 2B).
  • the SAEDE 430 may need additional adaptations to decode the conversion of the keyboard adaptation module that is used by the CPDEDE 235 as was depicted above.
  • the decoder of the keyboard adaptation module can be installed in front of the SAEDE 430.
  • the decoder may search the incoming blocks of data looking for the symbol *, for example, that is used for indicating a combination of two blocks that represent an illegal encrypted block of data.
  • the decoder converts the two blocks of data into the original illegal block.
  • the illegal block is transferred to the decryption engine of SAEDE 430. More information about the operation of the software program 400 is disclosed below in conjunction with the description of FIGS. 5A, 5B and 6.
  • the security agent may include some of the functionality that is performed by the CPD.
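The keyboard adaptation module and its host-side decoder described above (the CPDEDE 235 escaping illegal encrypted blocks as the * indicator plus a LUT entry, with * itself escaped as * followed by 0, and the decoder in front of the SAEDE 430 reversing it), as an added Python example that is not the patent's or Safend's code. It assumes one scan-code byte per keystroke, RC4 as the stream cipher the text names (one keystroke at a time, cipher text the same size as plain text), and constructed values for the legal/illegal domains, the * indicator and the 0 block.

```python
from typing import Dict, FrozenSet, Iterable, List


class RC4:
    """Minimal RC4 keystream generator. The CPD and the host each keep one
    instance keyed with the shared sessional key and draw one keystream byte
    per keystroke, so the cipher text has the same size as the plain text."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):                       # key-scheduling
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def next_byte(self) -> int:                    # one PRGA step
        s = self.s
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + s[self.i]) & 0xFF
        s[self.i], s[self.j] = s[self.j], s[self.i]
        return s[(s[self.i] + s[self.j]) & 0xFF]


# Constructed domains (assumption): ILLEGAL models byte values the host keyboard
# controller would consume or misinterpret instead of passing through as scan
# codes; every other byte value is LEGAL and passes unchanged.
ILLEGAL: FrozenSet[int] = frozenset({0x00, 0xAA, 0xE0, 0xE1, 0xEE, 0xFA, 0xFC, 0xFE, 0xFF})
LEGAL: FrozenSet[int] = frozenset(range(256)) - ILLEGAL
INDICATOR = 0x37   # constructed: the '*' scan code, used as the escape indicator
ZERO = 0x0B        # constructed: the '0' scan code, second block when '*' itself is escaped

# The LUT: each illegal block maps to a legal second block. Neither the indicator
# nor ZERO is used as a second block, so the decoder is unambiguous.
_SECOND_BLOCKS = sorted(LEGAL - {INDICATOR, ZERO})
assert len(ILLEGAL) <= len(_SECOND_BLOCKS), "LUT must be injective"
LUT: Dict[int, int] = {bad: _SECOND_BLOCKS[n] for n, bad in enumerate(sorted(ILLEGAL))}
INV_LUT: Dict[int, int] = {legal: bad for bad, legal in LUT.items()}


def adapt(block: int) -> List[int]:
    """Keyboard adaptation module (CPD side): one encrypted block in, one or two legal blocks out."""
    if block == INDICATOR:          # legal, but reserved: escape it as '*', '0'
        return [INDICATOR, ZERO]
    if block in LEGAL:              # compliant and legal: pass through as is
        return [block]
    return [INDICATOR, LUT[block]]  # illegal: indicator + LUT entry


def decode(blocks: Iterable[int]) -> bytes:
    """Decoder in front of the SAEDE (host side): undo adapt(), rejecting streams
    that carry a non-legal block or end in the middle of an escape sequence."""
    out = bytearray()
    it = iter(blocks)
    for b in it:
        if b not in LEGAL:
            raise ValueError(f"block 0x{b:02x} cannot have passed the controller")
        if b != INDICATOR:
            out.append(b)
            continue
        second = next(it, None)
        if second is None:
            raise ValueError("stream ends inside an escape sequence")
        if second == ZERO:
            out.append(INDICATOR)
        elif second in INV_LUT:
            out.append(INV_LUT[second])
        else:
            raise ValueError(f"0x{second:02x} is not a valid second block")
    return bytes(out)


def is_well_formed(blocks: Iterable[int]) -> bool:
    """True if the block stream decodes cleanly (a cheap host-side integrity check)."""
    try:
        decode(list(blocks))
        return True
    except ValueError:
        return False


def cpd_encrypt(keystrokes: bytes, session_key: bytes) -> bytes:
    """CPDEDE with a stream cipher: one keystroke at a time, same size out as in."""
    ks = RC4(session_key)
    return bytes(sc ^ ks.next_byte() for sc in keystrokes)


def cpd_protect(keystrokes: bytes, session_key: bytes) -> List[int]:
    """Full CPD path: encrypt, then adapt every block so the host controller passes it."""
    blocks: List[int] = []
    for c in cpd_encrypt(keystrokes, session_key):
        blocks.extend(adapt(c))
    return blocks


def host_recover(blocks: Iterable[int], session_key: bytes) -> bytes:
    """Full host path: decoder first, then the SAEDE decrypts with the same keystream."""
    ks = RC4(session_key)
    return bytes(c ^ ks.next_byte() for c in decode(blocks))
```

Every block that `cpd_protect` emits is in LEGAL, and `host_recover` on the same sessional key returns the original scan codes; a stream that ends after a lone indicator or carries a raw illegal value is rejected by the decoder.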
  • the security agent can comprise a software module for sensing the continuity of the connection with the external device.
  • Different software modules can be used to implement this aspect of the invention. For example, if the security agent protects a USB connection, the security agent can be associated with the operating system and get a disconnection indication from the operating system of the host when the host determines that the USB external device has been disconnected. If the external device is not connected to a USB port, the security agent may send, from time to time, a keep alive signal to the external device and based on the response, can determine the continuity of the connection.
  • An exemplary CPD can create and send a standard question to the external device and wait for a response.
  • the CPD can send a request for the status of the keyboard as a keep-alive signal, for example.
  • the security agent may comprise a software module for sensing the continuity of the connection with the external device.
  • a security agent can be capable of identifying a keyboard initialization code as an alert to a reconnection of a keyboard, for example.
  • the security agent may include a power off section that saves the indication received on the occurrence of these events: disconnection and/or power off.
  • the indication may include the time when the event occurred.
  • the security agent may block the communication to or from the relevant port driver and the device driver.
  • FIGS. 5A and 5B illustrate a flowchart depicting relevant steps of an exemplary method 500 for providing aspects of the present invention.
  • the method 500 may be used by exemplary ECPD 140 (FIG. 1) to prevent eavesdropping of data communication over a connection between an external device 115 and its host computer 110. With few modifications, which are depicted below, the method 500 can be used also by an ICPD 145 (FIG. 1).
  • the method 500 can be used by the ECPD 140 after the configuration stage.
  • the configuration stage can be initiated by plugging the ECPD into an appropriate port at the security server (a USB port for an ECPD that is adapted to protect a USB device, for example) by an administrator of network 120 (FIG. 1).
  • the configuration is typically performed before the installation of the ECPD 140 between the external device and its host.
  • an external device 113 (FIG. 1) with an ICPD 145
  • the external device 113 has to be plugged into the security server for the configuration stage.
  • a signed certificate is assigned to the new CPD (ECPD or ICPD).
  • the signed certificate can comprise a public/private key pair.
  • the private key can be drawn randomly by the security server 130 (FIG. 1).
  • information on the new CPD and its associated signed certificate is stored in the database of the security server 130. This information can be retrieved when the relevant CPD (ECPD 140 or ICPD 145) is installed for controlling the communication between the host and the external device.
  • the CPD (ECPD 140 or ICPD 145) can be removed from the security server and is ready to be installed.
  • the configuration can be performed remotely from the security server by an authorized person, such as but not limited to the administrator of network 120 (FIG. 1).
  • the administrator can plug the relevant external device 113 or ECPD 140 (FIG. 1) into a computer that is connected to network 120, for example the administrator's computer, and communicate with the security server to configure the new external device 113 or ECPD 140.
  • the configuration can be performed by the administrator or the user via the host computer.
  • the configuration can be performed by a software program that is delivered with the CPD (ECPD 140 or ICPD 145).
  • a signed certificate has to be delivered in association with the software and the CPD.
  • the software can be loaded into the host for the configuration stage.
  • the ECPD is plugged into the appropriate port (socket) at the host, without connecting the external device, or the external device 113 (FIG. 1) with the ICPD 145 is plugged into the host for the first time.
  • Such a configuration method can be done when the host is not connected to network 120.
  • a dummy external device can be used for the configuration stage.
  • the dummy external device may be delivered with the ECPD and may emulate the external device.
  • the method 500 may be initiated 510 during the installation of a configured ECPD 140 (FIG. 1) over the connection between the host and the external device or when connecting an external device 113 having a configured ICPD 145 (FIG. 1) to the host.
  • the installation can be performed by an authorized person, such as the administrator of network 120 (FIG. 1).
  • the ECPD (without the external device) or the external device 113 having the configured ICPD 145 (FIG. 1) is connected to the appropriate port (socket) at the host computer 110 (FIG. 1).
  • the software of the security agent 330 (FIG. 3) can then be loaded into the host. Loading the security agent can be done from the security server 130 (FIG.
  • the security agent sets a connection with the CPD (the ECPD or the ICPD) and an authentication process is initiated.
  • the security agent and/or the CPD can authenticate the person who controls the installation. If the person is compliant with the requirements, then the authentication stage between the CPD and the host is started.
  • a key exchange session is started and the CPD (ECPD 140 or ICPD 145) sends its signed certificate to the host 110 (FIG. 1).
  • the host upon receiving the signed certificate and authenticating the CPD, can respond by (a) drawing a random number that is used as a sessional key, and (b) encrypting the sessional key using the public key.
  • the public key is embedded in the signed certificate.
  • the CPD decrypts the sessional key using its private key and from this moment forward, the CPD and the host utilize the sessional key to encrypt/decrypt the communication between them.
  • the CPD becomes transparent (i.e., acts as a hub) to allow the connection with the external device 115 or 113 (FIG. 1).
  • an instruction to connect the external device to the receptacle of the ECPD is then displayed.
  • the SSL protocol can be used for protecting the communication between the external device 113 or 115 and its associated host 110 (FIG. 1).
  • the CPD (ECPD or ICPD) and the security agent which are transparent, cooperate to allow free transportation between the external device and the host.
  • the free transportation enables the connection to be established between the external device and the host.
  • an instruction to the CPD (ECPD or ICPD) is sent to set the "Host ready flag" and to start the connection protection loop.
  • An indication can be displayed, informing the user/administrator that the installation of the CPD is successfully terminated and that the connection between the external device and the host is protected.
  • the transparent stage of the CPD is terminated. From this moment forward, the continuity of the connection with the external device is checked and transportation between the external device and the host will be encrypted in an exemplary embodiment of the present invention using an encryption/decryption engine in the CPD and the security agent.
  • an exemplary connection protection loop can be started 516.
  • the loop can be managed by the CPDMM 260 (FIG. 2b), for example.
  • the loop can run as long as the CPD (ECPD or ICPD) has power.
  • Verifying the continuity of the connection can be done by checking the state of a disconnected indication that can be created by the EDCC 210 (FIG. 2), for example.
  • a decision is made whether a disconnection between the ECPD and the external device is sensed. If a disconnection is not sensed, then the condition of the host is checked 530.
  • the transportation to and from the external device is manipulated (for instance it may be blocked) 540.
  • Different methods for manipulating the transportation are described above, including but not limited to blocking the transportation between the two connectors of the ECPD.
  • An indication that the connection with the external device was disturbed is sent to the host 542 and the method 500 waits 544 for acknowledgement.
  • if 544 acknowledgement is received, the method 500 terminates. If 544 acknowledgement is not received, the method 500 may run in a loop 542, 544 while blocking 540 the communication with the host. Restarting the method 500 may require another reconfiguration stage to be entered.
  • the security agent upon receiving the message, may inform the user and/or the security server.
  • at step 530 the host is checked. If the host is ON, then the method 500 proceeds to step 550 in FIG. 5B. If 530 the host is OFF, the "Host ready flag" is reset 532. Depending on the exemplary embodiment of the present invention, the method 500 can proceed to step 534 as is illustrated in FIG. 5A or directly to step 538 (this branch is not illustrated).
  • if an exemplary CPD (ECPD or ICPD) contains an HCC 250 (FIG. 2B), then the method 500 proceeds, according to the drawing, to step 534 and verifies the continuity of the connection with the host. Verifying the continuity of the connection can be done by checking the state of a disconnected indication that can be created by the HCC 250 (FIG. 2). If 536 a disconnection between the CPD and the host was sensed, the transportation to and from the external device is blocked (or otherwise manipulated) 540. If 536 a disconnection has not been sensed, or the exemplary embodiment of the present invention does not contain an HCC 250, the method 500 waits 538 a period 'D1' and returns to the beginning of the loop, to step 516. Period 'D1' can be in the range of a few hundred milliseconds to a few seconds.
  • in FIG. 5B, the steps of the method 500 that are performed when the host computer is ON (step 530, FIG. 5A) are illustrated in a flow chart format.
  • the CPD (ECPD or ICPD) becomes transparent for a period 'D2'.
  • Period 'D2' is configured to give sufficient time to the host computer to bootstrap and to set a connection with the external device. At the end of 'D2', the transparent stage of the CPD is terminated. From this moment forward, the continuity of the connection with the external device is checked (for an ECPD only) and transportation between the external device and the host can be manipulated by the CPD (ECPD or ICPD).
  • a connection is requested 554 with the security agent.
  • the request for the connection can be sent from the CPD (ECPD or ICPD) to verify that the host was not affected and that the appropriate security agent was not removed.
  • an authentication is performed. If 556 the authentication or the setting of the connection has not succeeded, the transportation to and from the external device is blocked (or otherwise manipulated) 558 and the method 500 terminates 559. Restarting the method 500 may require another reconfiguration stage to be entered. Different methods for manipulating the transportation are described above. If the authentication process succeeded 556, the encryption/decryption engine (if one exists) can be initiated and the method 500 proceeds to step 560.
  • the decision can be based on different criteria.
  • One exemplary embodiment of the present invention may use a time criterion and replace the sessional key after a certain period.
  • Other exemplary embodiments of the present invention can replace the sessional key according to the usage of the external device, etc.
  • the security agent may determine whether to replace the sessional key and not the CPD (ECPD or ICPD).
  • steps 560, 562 and 564 may be performed by the security agent and not by the CPD.
  • if 562 there is no need to replace the sessional key, the method 500 waits 566 for period 'D1' and returns to the beginning of the loop, to step 516, FIG. 5A. If 562 there is a need to replace the sessional key, then the sessional key is replaced 564 using a method similar to one of the methods that are depicted above. After replacing the sessional key, the method 500 waits 566 for period 'D1' and returns to the beginning of the loop, to step 516, FIG. 5A.
  • FIG. 6 illustrates a flowchart depicting relevant steps of an exemplary method to verify whether the installed CPD, or the connectivity to the CPD, has been affected.
  • the method 600 may be used by an exemplary security agent 330 (FIG. 3) for verifying that the installed CPD (ECPD 140 or ICPD 145, FIG. 1) was not affected or that the connection between the external device and the host was not affected.
  • the methods 600 and 500 can run in parallel, independently and unsynchronized, so that one of the elements (CPD or SA) cannot be fraudulently replaced.
  • the method 600 can be initiated after the installation process of the CPD (ECPD 140 or ICPD 145, FIG. 1) as is depicted above.
  • the method 600 can start 610 at the end of a bootstrap process of the host and after the external devices have been introduced to the host.
  • a connection with the security server 130 can be established to collect updated information including, but not limited to, an updated policy and/or an updated revocation list. If the relevant CPD (ECPD 140 or ICPD 145, FIG. 1) appears in the revocation list, then the method 600 may block the communication with the external device, inform the user and the security server, and the method 600 can terminate. If the relevant CPD does not appear in the revocation list, the method 600 proceeds to step 614 and starts a loop that runs as long as the host is active.
  • a connection is set with the CPD (ECPD 140 or ICPD 145, FIG. 1) and an authentication process is initiated.
  • the authentication process can be similar to the ones that are disclosed above.
  • a decision is made 620 whether the authentication process terminated successfully. If 620 the authentication fails, the security agent may block (or otherwise manipulate) 632 the transportation from/to the appropriate port driver 350a-c (FIG. 3) to/from the appropriate device driver 320a-c (FIG. 3).
  • an indication regarding entry into such a condition can be sent to the user and/or to the security server. This indication operates to inform relevant processes that the connection between the host and the external device has been manipulated and method 600 terminates 634.
  • restarting the security agent may require replacing the current ECPD (or the entire external device 113 having an ICPD 145, FIG. 1) or reconfiguring it.
  • the security agent can retrieve 626 the status of the ECPD, which includes information on the connection between the ECPD and the external device. Based on this information a decision can be made as to whether a disconnection has happened between the ECPD and the external device.
  • the status may include information on the connection between the CPD (ECPD 140 or ICPD 145, FIG. 1) and the host. In such an embodiment, the decision can be affected also from the continuity of the connection between the CPD and the host. If 630 the connection was affected then method 600 proceeds to step 632.
  • method 600 may wait for a period 'DH1' and return to the beginning of the loop at step 614.
  • Period 'DH1' can be longer than 'D1'; 'DH1' can be in the range of a few seconds to a few minutes.
  • the terms "unit" and "module" are used interchangeably. Anything designated as a unit or module may be a stand-alone unit or a specialized module.
  • a unit or a module may be modular or have modular aspects allowing it to be easily removed and replaced with another similar unit or module.
  • Each unit or module may be any one of, or any combination of, software, hardware, and/or firmware.
  • the words "computer" or "host computer" represent any end-user device that has computing power. This includes, among others, cellular phones, PDAs, personal computers, or other types of end equipment with a CPU that can be connected to external devices.
  • each of the verbs "comprise", "include" and "have", and conjugates thereof, are used to indicate that the object or objects of the verb are not necessarily a complete listing of members, components, elements, or parts of the subject or subjects of the verb.
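As an added illustration (not code from the patent or from Safend), the following Python models the two watchdog loops the fragments above describe: the CPD-side connection protection loop of method 500 (steps 516 to 566, FIGs. 5A/5B) and the security agent's independent check of method 600 (FIG. 6). It assumes that the connection request and authentication of FIG. 5B take place while the "Host ready flag" is reset, and it counts loop passes as a stand-in for the time criterion used to replace the sessional key; the enum, dataclass and function names are mine.

```python
"""Model of the CPD connection-protection loop (method 500) and the security
agent's independent check (method 600); step numbers refer to FIGs. 5A/5B/6."""
from dataclasses import dataclass
from enum import Enum
import secrets

class Action(Enum):
    CONTINUE = "wait and loop"      # 538/566 (wait D1) or the DH1 wait in method 600
    BLOCKED = "transport blocked"   # 540/558/632: transport to/from the device blocked
    TERMINATED = "terminated"       # 559/634: reconfiguration needed before restart

@dataclass
class CpdState:
    has_hcc: bool                   # CPD contains a host connection checker (HCC 250)
    host_ready: bool = False        # the "Host ready flag"
    session_key: bytes = b""        # sessional key shared with the security agent
    rotate_every: int = 3           # assumed time criterion, counted in loop passes
    passes: int = 0
    blocked: bool = False

@dataclass
class Sensors:                      # what the CPD observes in one pass (constructed)
    device_disconnected: bool       # EDCC 210 disconnected indication
    host_on: bool
    host_disconnected: bool = False # HCC 250 disconnected indication
    agent_authenticated: bool = True  # outcome of the authentication at step 556

def cpd_loop_step(state: CpdState, s: Sensors) -> Action:
    """One pass of method 500 beginning at step 516."""
    if state.blocked:               # 542/544: keep blocking until acknowledged
        return Action.BLOCKED
    state.passes += 1
    if s.device_disconnected:       # 518/520: continuity with the external device lost
        state.blocked = True        # 540: manipulate (here: block) the transport
        return Action.BLOCKED
    if not s.host_on:               # 530: host is OFF
        state.host_ready = False    # 532: reset the "Host ready flag"
        if state.has_hcc and s.host_disconnected:   # 534/536: host link checked
            state.blocked = True
            return Action.BLOCKED
        return Action.CONTINUE      # 538: wait D1, back to 516
    if not state.host_ready:        # FIG. 5B: host came up (assumed gate on the flag)
        if not s.agent_authenticated:   # 554/556: agent connection or auth failed
            state.blocked = True    # 558
            return Action.TERMINATED    # 559
        state.host_ready = True
        state.session_key = secrets.token_bytes(16)   # fresh random sessional key
    if state.passes % state.rotate_every == 0:        # 562: time criterion met
        state.session_key = secrets.token_bytes(16)   # 564: replace the key
    return Action.CONTINUE          # 566: wait D1, back to 516

def agent_loop_step(cpd_id: str, revoked: frozenset,
                    cpd_authenticated: bool, link_affected: bool) -> tuple:
    """One pass of method 600 on the security agent, unsynchronised with the CPD loop.
    Returns (action, reason); all three failure paths block the driver path (632)."""
    if cpd_id in revoked:           # 612: CPD appears in the server's revocation list
        return Action.TERMINATED, "revoked"
    if not cpd_authenticated:       # 620 -> 632/634
        return Action.TERMINATED, "authentication failed"
    if link_affected:               # 626/630 -> 632: status shows the link was disturbed
        return Action.TERMINATED, "connection affected"
    return Action.CONTINUE, "ok"    # wait DH1, back to 614
```

Because the two loops share no state, a fraudulent replacement of either element is caught by the other side's next pass, which is the point made about running them independently.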

Abstract

The quality of a connection between an external device and a host computer can be observed and monitored to determine whether or not a connection exists. If a disconnected state is detected, the host can be informed and, in parallel, the data transported from or to the external device can be manipulated. In some embodiments, an exemplary connection protection device (CPD) may be added to the connection between the external device and the host. The CPD may comprise two connectors, one for the host and the other for the cable of the external device. The CPD may serve to identify any fault in the connection with the host and/or in the connection with the external device on the other side of the CPD.
PCT/IL2006/001158 2005-10-06 2006-10-04 Procede et systeme de securisation des entrees d'un dispositif exterieur vers un hote WO2007039904A2 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US12/089,128 US8954624B2 (en) 2005-10-06 2006-10-04 Method and system for securing input from an external device to a host
EP06796151A EP1940405A4 (fr) 2005-10-06 2006-10-04 Procede et systeme de securisation des entrees d'un dispositif exterieur vers un hote
AU2006298428A AU2006298428B2 (en) 2005-10-06 2006-10-04 Method and system for securing input from an external device to a host

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US59661605P 2005-10-06 2005-10-06
US60/596,616 2005-10-06
US76623106P 2006-01-03 2006-01-03
US60/766,231 2006-01-03

Publications (2)

Publication Number Publication Date
WO2007039904A2 true WO2007039904A2 (fr) 2007-04-12
WO2007039904A3 WO2007039904A3 (fr) 2009-04-30

Family

ID=37906571

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2006/001158 WO2007039904A2 (fr) 2005-10-06 2006-10-04 Procede et systeme de securisation des entrees d'un dispositif exterieur vers un hote

Country Status (4)

Country Link
US (1) US8954624B2 (fr)
EP (1) EP1940405A4 (fr)
AU (1) AU2006298428B2 (fr)
WO (1) WO2007039904A2 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8650543B1 (en) * 2011-03-23 2014-02-11 Intuit Inc. Software compatibility checking
US9811654B2 (en) * 2014-06-11 2017-11-07 Dell Products L.P. Systems and methods for providing authentication using a managed input/output port
GB2543072B (en) * 2015-10-07 2021-02-10 Enclave Networks Ltd Public key infrastructure & method of distribution
US10778722B2 (en) * 2016-11-08 2020-09-15 Massachusetts Institute Of Technology Dynamic flow system
CN109543475B (zh) * 2018-10-29 2020-07-07 北京博衍思创信息科技有限公司 一种外接式终端防护设备及防护系统
CN111092903A (zh) * 2019-12-26 2020-05-01 安徽长泰信息安全服务有限公司 一种处理网络安全事件的方法
CN112182674B (zh) * 2020-09-23 2021-11-26 新沂市宏展电子科技有限公司 一种利用压强差节能型对usb接线座自动保护的加密装置

Family Cites Families (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US778924A (en) * 1903-12-15 1905-01-03 Clifton T Umsted Riveting device.
US4930096A (en) * 1987-01-22 1990-05-29 Man Design Co., Ltd. Data-transmitting apparatus having connecting plug
IL103062A (en) * 1992-09-04 1996-08-04 Algorithmic Res Ltd Data processor security system
US5815577A (en) * 1994-03-18 1998-09-29 Innovonics, Inc. Methods and apparatus for securely encrypting data in conjunction with a personal computer
US5812536A (en) * 1995-07-05 1998-09-22 Pitney Bowes Inc. Secure accounting system employing RF communications for enhanced security and functionality
KR0174978B1 (ko) * 1995-12-30 1999-04-01 김광호 하드웨어로 구현된 디지탈 컴퓨터 시스템 보안 장치
US6019281A (en) * 1997-12-22 2000-02-01 Micro General Corp. Postal security device with display
US6128743A (en) * 1998-09-28 2000-10-03 Pertech, Inc. Intelligent system and method for universal bus communication and power
WO2000019382A1 (fr) * 1998-09-29 2000-04-06 Stamps.Com, Inc. Système d'affranchissement en ligne
US6321335B1 (en) * 1998-10-30 2001-11-20 Acqis Technology, Inc. Password protected modular computer method and device
US6745330B1 (en) * 1999-06-22 2004-06-01 Hewlett-Packard Company, L.P. Computer system having peripheral device look
US7032240B1 (en) * 1999-12-07 2006-04-18 Pace Anti-Piracy, Inc. Portable authorization device for authorizing use of protected information and associated method
US6628517B1 (en) * 2000-04-11 2003-09-30 Hewlett-Packard Development Company, L.P. Connector system for a docking station of a portable computer system
US7299303B2 (en) * 2002-01-16 2007-11-20 Microsoft Corporation System and method for pendant bus for serially chaining multiple portable pendant peripherals
US7478235B2 (en) * 2002-06-28 2009-01-13 Microsoft Corporation Methods and systems for protecting data in USB systems
JP2004157604A (ja) * 2002-11-01 2004-06-03 Matsushita Electric Ind Co Ltd Usb機器制御方法および装置
US7284278B2 (en) * 2003-03-04 2007-10-16 Dell Products L.P. Secured KVM switch
BR0302727A (pt) 2003-07-08 2005-03-29 Guido Costa Souza De Araujo Cifrador externo de teclado
AU2004295851B2 (en) 2003-12-03 2010-03-11 Safend Ltd Method and system for improving computer network security
US8281114B2 (en) * 2003-12-23 2012-10-02 Check Point Software Technologies, Inc. Security system with methodology for defending against security breaches of peripheral devices
US7814024B2 (en) * 2004-05-14 2010-10-12 Ching Peter N Multi-way transactions related data exchange apparatus and methods
TW200513865A (en) * 2004-09-17 2005-04-16 Via Tech Inc USB control circuit with function of switching between host mode and controlled mode and its operating method
US20060107073A1 (en) * 2004-11-12 2006-05-18 International Business Machines Corporation System and method for equipment security cable lock interface
US7823214B2 (en) * 2005-01-07 2010-10-26 Apple Inc. Accessory authentication for electronic devices
US8024500B2 (en) * 2005-08-15 2011-09-20 Research In Motion Limited Universal peripheral connector
EP1793322A1 (fr) * 2005-11-30 2007-06-06 Nagracard S.A. Module de sécurité évolutif
US8307055B2 (en) * 2008-01-22 2012-11-06 Absolute Software Corporation Secure platform management device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of EP1940405A4 *

Also Published As

Publication number Publication date
EP1940405A4 (fr) 2011-06-29
AU2006298428A1 (en) 2007-04-12
EP1940405A2 (fr) 2008-07-09
WO2007039904A3 (fr) 2009-04-30
US20090125646A1 (en) 2009-05-14
AU2006298428B2 (en) 2012-09-06
US8954624B2 (en) 2015-02-10

Similar Documents

Publication Publication Date Title
CN110799941B (zh) 防盗和防篡改的数据保护
US10678913B2 (en) Apparatus and method for enhancing security of data on a host computing device and a peripheral device
KR101939078B1 (ko) 호스트 컴퓨팅 디바이스와 주변기기의 데이터의 보안을 강화하기 위한 장치및 방법
AU2006298428B2 (en) Method and system for securing input from an external device to a host
US9734094B2 (en) Computer security system and method
US7818790B1 (en) Router for use in a monitored network
TW200529002A (en) System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication
EP1949288A1 (fr) Procedes et systemes d'association d'une puce securisee integree a un ordinateur
CN105099705B (zh) 一种基于usb协议的安全通信方法及其系统
CN103080946A (zh) 用于安全地管理文件的方法、安全设备、系统和计算机程序产品
US20130054767A1 (en) Autonomous network device configuration method
CN112073380B (zh) 一种基于双处理器kvm切换与密码隔离的安全计算机系统
US8285984B2 (en) Secure network extension device and method
CN113626803A (zh) 一种bmc固件的保护方法、系统、装置及可读存储介质
CN101420299B (zh) 提高智能密钥设备稳定性的方法和智能密钥设备
JP6981078B2 (ja) セキュアエレメント、コンピュータプログラム、デバイス、サーバ及びデバイス監視方法
KR102444356B1 (ko) 보안 강화 인트라넷 접속 방법 및 시스템
JP4164069B2 (ja) 電子メール装置、電子メールシステム及び電子メール送信方法
JP4866150B2 (ja) Ftp通信システム、ftp通信プログラム、ftpクライアント装置及びftpサーバ装置
WO2021148783A1 (fr) Dispositif de chiffrement
EP1944942A1 (fr) Procédé de vérification de la configuration en cours dans un équipement réseau, et équipement réseau
AU2011101715A4 (en) An Internet Security Device
AU2011200015A1 (en) An Internet Security Device
Müller et al. Tamperproof Authentication to Resist Keylogging

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2006796151

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2006796151

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2006298428

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 911/MUMNP/2008

Country of ref document: IN

ENP Entry into the national phase

Ref document number: 2006298428

Country of ref document: AU

Date of ref document: 20061004

Kind code of ref document: A

WWP Wipo information: published in national office

Ref document number: 2006298428

Country of ref document: AU

WWP Wipo information: published in national office

Ref document number: 2006796151

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 12089128

Country of ref document: US